
Cybersecurity Resources

The SEC Addresses Initial Coin Offerings

On July 25, 2017, the Securities and Exchange Commission (SEC) issued a Report of Investigation pursuant to Section 21(a) of the Securities Exchange Act of 1934 (Report) [1] and an Investor Bulletin: Initial Coin Offerings (Bulletin) [2] finally weighing in on whether virtual coins or digital tokens created and disseminated using distributed ledger or blockchain technology may be “securities” under the federal securities laws.

The answer? Maybe, depending on the facts and circumstances.

Virtual Currencies, Initial Coin Offerings, and Tokens – What are They?

Recently, the sale of blockchain-based tokens through initial coin offerings (ICOs) has become an increasingly popular financing technique used by companies to raise capital to fund the development of a digital platform, software, or other project. The sale of such tokens through ICOs has been made possible through the rapid popularization of blockchain technology, the cryptographically-secured, distributed ledger that underpins virtual currencies such as bitcoin and ethereum.

Although the mechanics of ICOs may vary, one popular method of conducting a token sale is to utilize ethereum’s ERC-20 token standard, and issue such tokens through a smart contract deployed to the ethereum blockchain. In this example, individuals may participate in an ICO by sending a certain amount of ether (the token used to transact on the native ethereum blockchain, also known as ETH) to a smart contract. In turn, the smart contract will send a corresponding amount of tokens to the wallet that initiated the transaction. Thus, at the conclusion of the ICO, the company that created the token and deployed the smart contract will likely have received ether in exchange for its own token. Similarly, users who sent ether to the smart contract will typically receive tokens, which may have a number of potential uses.

Tokens purchased through an ICO may be used to, among other things, access the platform, use the software, or otherwise participate in the project. Other tokens may function to confer certain rights on the token holder, such as ownership rights, the right to share in a portion of the organization’s profits, or the right to vote on how the organization should conduct itself.

Tokens are generally fungible. After their issuance they may be sent to other persons in a manner similar to the way ether is transacted between users. Leveraging the same benefits of blockchain technology enjoyed by other virtual currencies, token transactions are recorded on the blockchain, which, through the power of complex mathematics and cryptography, functions as a reliable transaction ledger with verifiably accurate entries.
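The ether-in, tokens-out mechanism described above, written out as an added Solidity example; this is not code from the original article or from any real offering, and the token name, the fixed exchange rate, the hard cap and the deadline are assumptions chosen for illustration. Buyers send ether to the sale contract, which credits them with newly minted ERC-20 tokens and forwards the ether to the issuer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 token. Its whole supply is minted by the sale contract below,
// so the issuer cannot create tokens outside the sale.
contract SaleToken {
    string public constant name = "Example Sale Token"; // constructed sample name
    string public constant symbol = "EST";              // constructed sample symbol
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    address public immutable minter; // the TokenSale contract that deployed this token

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor() {
        minter = msg.sender;
    }

    // Only the sale contract may mint; tokens exist solely because ether was paid.
    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "only sale contract may mint");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    // Holders can pass tokens on, which is what makes them fungible and tradable
    // on secondary markets after the sale closes.
    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "allowance exceeded");
        allowance[from][msg.sender] = allowed - amount;
        _move(from, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(to != address(0), "transfer to zero address");
        uint256 bal = balanceOf[from];
        require(bal >= amount, "insufficient balance");
        balanceOf[from] = bal - amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}

// Token sale: ether sent here is exchanged for tokens at a fixed rate and
// forwarded to the issuer. The cap and deadline bound what the sale can accept.
contract TokenSale {
    SaleToken public immutable token;
    address payable public immutable issuer;
    uint256 public immutable rate;     // token base units credited per wei (assumed value set by deployer)
    uint256 public immutable hardCap;  // maximum wei the sale will accept (assumed)
    uint256 public immutable deadline; // unix timestamp after which buys are rejected (assumed)
    uint256 public raised;             // total wei accepted so far

    event TokensPurchased(address indexed buyer, uint256 weiPaid, uint256 tokens);

    constructor(uint256 rate_, uint256 hardCapWei, uint256 durationSeconds) {
        token = new SaleToken();
        issuer = payable(msg.sender);
        rate = rate_;
        hardCap = hardCapWei;
        deadline = block.timestamp + durationSeconds;
    }

    // A plain ether transfer to the contract address counts as a purchase.
    receive() external payable {
        buy();
    }

    function buy() public payable {
        require(block.timestamp < deadline, "sale closed");
        require(msg.value > 0, "no ether sent");
        require(raised + msg.value <= hardCap, "hard cap reached");
        uint256 amount = msg.value * rate;
        raised += msg.value; // update state before any external call (checks-effects-interactions)
        token.mint(msg.sender, amount);
        emit TokensPurchased(msg.sender, msg.value, amount);
        (bool ok, ) = issuer.call{value: msg.value}("");
        require(ok, "forwarding ether failed");
    }
}
```

Deploying TokenSale creates the token and makes the deployer the issuer; the recorded TokensPurchased events are the on-chain trail of who paid how much ether for how many tokens, which is the fact pattern the Howey analysis later in the article turns on.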

To provide a medium for the exchange of virtual coins or digital tokens after they have been issued, platforms have developed as a secondary market for trading them. These platforms, known as virtual currency exchanges, consist of persons or entities that exchange virtual currency for a fiat currency (e.g., an underlying physical currency, such as dollars), funds, or other virtual currency. The virtual currency exchanges generally receive a fee for these exchange services.

As a result of the infrastructure described above, the use of virtual coins and digital tokens is becoming a popular method to exchange and store value, manage and exercise ownership rights, and administrate other functions. However, depending on the specific attributes of a given token, it may be considered a security under U.S. law, and therefore subject the issuer to applicable laws and regulations.

Are Virtual Coins and Digital Tokens “Securities” Under U.S. Securities Laws?

Investment Contracts are Securities. Under the federal securities laws, a security is defined to include not only the typical types of instruments that everyone understands to be a security (e.g., stocks, bonds, notes, etc.), but also “investment contracts.” [3] In the seminal case of SEC v. W.J. Howey [4], the Supreme Court defined an investment contract as:

  • an investment of money;
  • in a common enterprise;
  • with a reasonable expectation of profits;
  • to be derived from the entrepreneurial or managerial efforts of others.

The SEC will apply this test to determine whether virtual coin or digital token offerings involve the offer and sale of securities subject to the federal securities laws. The first three prongs of the test generally are easy to apply, especially when the marketing materials or white papers for the offering espouse the benefits of investing in the tokens. However, applying the fourth prong of this test can be problematic and will depend significantly on the specific facts and circumstances of the offering, the function of the token, and the operation of the underlying enterprise.

Continue reading on CarltonFields.com >>

There’s No Flying Under the Radar: Why Small Businesses Should Get Smart About Information Security

The latest publication by the National Institute of Standards and Technology (NIST), entitled “Small Business Information Security: The Fundamentals,” aims to promote and assist small businesses in their efforts to manage information security risks. Written by Celia Paulsen and Patricia Toth, the report speaks directly to the needs of growing businesses and suggests that the security of information, systems, and networks should be a top priority. Overall, the report explains some of the security issues unique to small businesses and offers a guideline for safeguarding information to help those businesses thrive. Below are several key takeaways from the report.

Small Businesses are Particularly Vulnerable

In many ways, small businesses have even more to lose than large ones simply because an event—whether a hacking, natural disaster, or business resource loss—can be incredibly costly. The report begins by noting that while cybersecurity improvements by some businesses have rendered them more difficult attack targets, this has led hackers and cyber criminals to focus more of their attention on less secure businesses. One reason for this is that small businesses, including startups, often lack the resources to invest in information security as larger businesses can. Many fall victim to cyber-crime. In a later comment on the report, author Pat Toth stated, “[s]mall businesses may even be seen as easy targets to get into bigger businesses through the supply chain or payment portals.” She continued, “[small businesses] may have more to lose than a larger organization because cybersecurity events can be costly and threaten their survival.”[i] National Cyber Security Alliance research adds further credibility to this assertion. It found that 60 percent of small businesses will close down within six months following a cyberattack.[ii]

Information Security is Good for Business

Another of the report’s goals is to refute the notion that information security is too cumbersome a task for a young business to undertake. In fact, investing in proper security is potentially excellent for business. Protecting customers’ information as well as personal employee information is a critical component of good customer service. Furthermore, a robust information security program can help small businesses grow and retain customers as well as employees and business partners. Nowadays, customers not only appreciate but have also come to expect that their sensitive information will be protected from theft, disclosure, or misuse. Therefore, it is necessary that your business protect customers’ information to establish their trust as well as increase your business. Additionally, business partners and vendors want to know that their information, systems, and networks are safe when doing business with you; therefore, it is important to be able to demonstrate that you have a method to protect their information.

Get to Know Your Unique Risks

First, identify the information your business stores and uses. This may involve listing all the types of information your business stores or uses, including customer names and email addresses, receipts for raw material, banking information, and other proprietary information. Next, determine the value of your information – if not by dollar amount, by rank in comparison to other risks. Then, develop an inventory of technology, both hardware and software. Last, understand your threats and vulnerabilities in the areas of confidentiality (e.g. theft or accidental disclosure), integrity (e.g. accidental alteration, intentional alteration), and availability (e.g. accidental destruction, intentional destruction).

Safeguard Your Information

The report recommends a five-step process.

  1. Identify. Start by controlling who can access your business information. Consider physically locking laptops and mobile devices when not in use, conducting background checks, requiring individual user accounts for employees, and creating policies and procedures for information security.
  2. Protect. This can include limiting employee access to data and information, installing uninterruptible power supplies (UPS) and surge protectors in case of an electricity interruption, updating and patching your software, installing firewalls, securing wireless access points and networks, setting up web and email filters, encrypting sensitive business information, properly and quickly disposing of old devices, and training employees regarding security policies and procedures.
  3. Detect. In a security emergency, time is of the essence. Swift discovery of breaches is essential. To assist, consider keeping anti-virus software updated (enabling automatic updates where possible) and maintaining logs of firewall and anti-virus activity.
  4. Respond. In a security event, the impact and ultimate cost of a breach may be contained or even reduced by implementing a disaster plan. Employees should be trained according to a developed plan that sets out employee roles and responsibilities, protocol for shutting down or locking computers, whom to contact, and triggering events for when the plan should go into effect.
  5. Recover. In the wake of a security event, the goal of your business will likely be to resume normal operations as soon as possible. As such, consider making full backups of important information, such as on an external hard drive or cloud, and doing so often. Additionally, it may be worthwhile to invest in cyber insurance as well as ongoing technology improvements.

Everyday Tips for Working Safely and Securely

The report emphasizes the importance of employee training, and states that although cyber-criminals are becoming more sophisticated, many still use well-known and easily avoidable methods in their attacks. Therefore, employee awareness and training in the following areas may provide significant protection.

  • Pay attention to the people you work with, the people you contract with, even the people who share your building. If a security event affects your neighbors, it is likely you are at risk as well.
  • Be extremely careful opening email attachments and web links. Do not click on a link or open an attachment that you were not expecting to receive. Perhaps the most common way malware is distributed is via email attachments or links embedded in email.
  • As much as you can, try to use separate personal and business computers, devices and accounts, because personal devices are often less secure and could expose you to increased risk. In addition, do not connect personal or untrusted storage devices to your business computer.
  • Only download software from reputable sources.
  • Be aware of social engineering, which is an attempt by wrongdoers to obtain physical or electronic access to your business information by prying information from you via manipulation.
  • Never give out a username or password. Speaking of passwords, try incorporating random sequences of letters and special characters into them. Try also to use multiple forms of authentication (e.g. dual-factor authentication by text).
  • Use a secure browser connection whenever possible.

Do Not Throw In the Towel

While it is impossible for any business to be completely secure, the report assures that it is both “possible—and reasonable—to implement a program that balances security with the needs and capabilities of your business.” You need not be a cybersecurity expert to develop an effective plan. In fact, you may find it best to outsource some or all of your security needs. Consider it an opportunity to network by asking around for recommendations. Additionally, in some cases, large organizations may help their small business suppliers analyze their risks and develop an information security program. For a deeper dive into the details of implementing an information security protocol that will work for your growing business’s unique needs, read the full report here.

The author would like to acknowledge the contributions of Gail Jankowski in the preparation of the alert.

[i] https://www.nist.gov/news-events/news/2016/11/new-nist-guide-helps-small-businesses-improve-cybersecurity#
[ii] https://staysafeonline.org/stay-safe-online/resources/small-business-online-security-infographic

Companies Can Help Keep Cyber Insurance Prices Reasonable

In speaking to a cybersecurity conference in 2012, then FBI Director Robert Mueller told attendees that there are only two types of companies: those that have been hacked and those that will be. Sadly, with each passing day, those words seem more prophetic. As anyone who follows the news knows, even the federal government has not been immune from being hacked.

The list of large commercial companies that have been hacked reads like a who’s who of the business world. Companies such as Target, Anthem, Adobe Systems, Inc., Home Depot and Sony have suffered major cyber-attacks on personal data held by each company. Corporate counsel have also reported that they expect the next wave of class action lawsuits to be in data privacy due to increased hacker activity, more frequent internal protocol and security lapses and ongoing consumer and business sensitivity regarding data sharing and use. It is becoming more evident that cybersecurity breaches have emerged as one of the preeminent threats to commercial companies.

Read: Companies, Through Best Practices, Can Help Keep Cyber Insurance Prices Reasonable

Republished with permission by Bloomberg BNA’s Corporate Counsel Weekly.

9 Things Employees Should Do to Prevent Data Breaches

Businesses are facing increased financial burdens due to the rise in data breaches caused by malicious and criminal attacks. In addition to the obvious costs incurred to detect and fix the effects of a breach, lost business is potentially the most severe consequence. And lost business can translate into lost jobs. It is often said that it takes a village to defend against cyberattacks. Employees of every organization must realize that they are members of that village, and need to do their part to protect their employer. Avoiding employee mistakes that lead to inadvertent failures will free up valuable resources to fight the bad guys—and may save your job.

Employees should adopt the following “safe” practices to minimize their mistakes and help thwart criminals:

1. Avoid Password Re-Use

  • Use a different password for each system you access, and make it secure and complex—for example, don’t just increase a numeric value as you change systems.
  • Use a password manager (for example, LastPass, 1Password, or KeePass) to manage your passwords, and ensure you use a complex passphrase for the password manager.
  • Specifically, don’t use your work username/password combination for personal systems.

User awareness of the dangers of password re-use has evolved. For instance, a 2003 report indicated 65 percent of users used the same password for different applications or services. By 2013, that figure reportedly fell to 55 percent. Password re-use is one of the single biggest threats to account security if two-factor authentication is not used. Consider the recent Ashley Madison data breach that allowed more than 11 million username and password combinations to be released into the wild. The threat, if those passwords and usernames were also used to access those users’ email, bank, or other system accounts, is obvious and far exceeds exposure and embarrassment.

The 2015 Verizon Data Breach Report, as quoted in an IT industry blog, said “… we find that most of the attacks make use of stolen credentials…” and “Over 95% of these incidents involve harvesting creds [sic] from customer devices, then logging in to web applications with them.”

2. Where Possible, Use Multi-Factor Authentication

Your employer may require this for your corporate systems, but increasingly it is also available for personal systems. Google Two-Step Verification is available for Android and Apple phones/tablets, and provides two-factor authentication to Google applications. This matters because, increasingly, work and personal matters intermingle in electronic messages and documents. Multi-factor authentication provides another barrier against having one username and password provide access to multiple systems.

3. Don’t Click That Link!

Your bank will never email you a link that asks you to enter your name, social security number, and password into a form full of spelling mistakes. These requests are as suspect as pleas from Nigerian princes. In 2015, phishing, spear phishing, and ransomware attacks have been prevalent across all types of businesses and companies. Some look more real than ever.

Instead of following emailed instructions to call or click, you should generally go directly to your bank’s website or call from a number you have (perhaps found on the back of a credit or debit card). Phishing and spear phishing are used to collect data or propagate malware.

4. Change Your Passwords Regularly

Even with two-factor authentication, passwords remain the first line of defense. Use your password manager, and change your passwords every 90 days. Some password managers will automate this for you, going through all your saved sites and changing the current complex password to a new one, and storing that information for you in the password manager database. Why does this matter? Let’s consider the Ashley Madison breach again—the username and password combinations are available. The passwords are not stored in the clear, but given enough time and computing power they can be recovered (more than 11 million have been so far, as noted earlier). If you use a complex password and change it regularly, you will ideally be using a new password by the time a breach occurs and your old password is broken.

5. Practice Safe Wi-Fi

If you use a computer, cellphone, or tablet on a public Wi-Fi, are you secure? Usually, perhaps. But cheap technology exists to create fake Wi-Fi hotspots that capture your network traffic, usernames, and passwords. Consider investing in a personal VPN, or ask your IS/IT department about access to a corporate one. This tool will encrypt your network traffic at its source, before pushing it out over an unencrypted, and potentially compromised, public Wi-Fi network. This guidance applies at coffee shops, train stations, airports, shopping malls, and anywhere else with “free” Wi-Fi. In these places, think carefully about transmitting a username and password without additional protection.

6. Keep Your Devices Close and Consider Their Contents

If you lose a cellphone, do you have the ability to wipe its contents? What if its data is compromised before you can do that? Always know the location of your phone, tablet, computer, etc. Know whether you’ve set up “Find My iPhone”—or a similar remote location tracking app or service—and how to use it. Your company may be able to lock or wipe your phone as well; you’ll have to ask. Similarly, while you probably do need to have all of your company contact details on your phone, consider whether you really need complete copies of all your corporate data. Perhaps you only need the information you’re currently working on. Consider using secure cloud storage services, or keeping your data on corporate servers and accessing it remotely, rather than downloading it locally.

7. Patch Baby, Patch!

Your company is (hopefully) patching your computer regularly—you should do the same for your home computer(s)—and also do software updates for your cellphones and tablets. Undisclosed and uncorrected application vulnerabilities are an ever-present threat, and fixing them may require out-of-cycle patches released outside the usual patch schedule. This kind of threat is usually well publicized across the web. Turning on automatic updates and/or update notifications on your computer and other devices may also help.

8. Remember the Physical World!

Walking away from your computer to get a cup of coffee? Lock the screen. Put a lock code on your cell phone. Don’t leave devices unattended in public spaces—you risk their physical theft, and exposing sensitive company information.

Bank statements? Credit card bills? Utility bills? If you’re not keeping them, don’t just throw them away, shred them. At your office, don’t throw away anything that includes company information, such as sales figures, contact information, and marketing plans. Shredding should be your default option. Harvesting information from improperly disposed-of paper is one form of information gathering used for identity theft or systems breaching.

9. Notify Early

If you think a breach or other failure has occurred, talk to somebody, such as your computer security officer or CIO, or call your bank’s fraud hotline. The sooner an incident response starts, the greater the chance of managing the incident successfully and minimizing any damage. The Verizon DBIR mentioned earlier also notes that attackers who get into a system can be there for up to 205 days on average before their presence is known. That number can be brought down through vigilance and reporting anything that appears unusual. Perhaps your user account was locked out when you got to work today. It may, or may not, mean something.

So, talk to your security team.

We all love being able to access the Internet during the work day. But as attacks continue and losses increase, employers may be forced to limit such access in ways that most employees will find inconvenient. Therefore, employees should take seriously the importance of their efforts in “cyberhygiene.”

Originally published by JD Supra Perspectives.

How a Monthly Lunch Can Protect Your Company in a Data Breach

After hackers steal customers’ credit card numbers or a company’s trade secrets, it is far too late for the corporate chiefs of public relations and information technology to learn one another’s names and responsibilities.

That’s why, based on our experience as legal counsel to companies in crisis, we recommend that a company’s senior PR person should have regular monthly lunches with its head of IT security.

Here, we explain why the IT-PR relationship is critical for an effective media response to a data breach.

A Careful Strategy

Without a careful PR strategy, even a routine data breach can morph into a consumer class action, a regulatory investigation and a two-hour CNN special. During a crisis, if the corporate spokesperson lacks a basic IT vocabulary or if IT staffers speak to the press without preparation from the PR department, then a company’s public statements will be uninformed, rambling or rogue — rather than accurate, on-message and approved. Soon, even a breach that a company’s IT professionals have already detected, assessed and remediated can morph into a disaster for the corporate reputation. And the PR department would bear the blame.

One example is the December 2013 data breach at Target, in which hackers accessed the credit card information of 40 million customers and the data files of 70 million customers during the holiday season by infiltrating checkout machines with malware.

Target, exhibiting signs of a brushfire mentality, had to correct various initial statements regarding the breach’s scope, duration and data types. In particular, Target did not clarify that different types of information were accessed for individual consumers over a period of time. Within six months, both the CEO and the chief information officer had resigned, and litigation had increased.

Home Depot disclosed a similar “point-of-sale” data breach in September 2014. The hack was similar in size and scope to Target’s, but lasted longer. Unlike Target, Home Depot initially disclosed limited information about the breach, by announcing that the company was investigating a data breach. Home Depot exhibited greater press discipline and didn’t make any outside communications until the company had a coordinated message. And when Home Depot updated the press on its investigation, it only announced solid information. This example reinforces the idea that waiting to say something meaningful beats saying something wrong nine times out of 10.

A Focus on Education

One culprit behind poor data breach responses is a lack of effective communication between a company’s PR experts and its IT department. Their résumés, backgrounds and cultures differ. Public relations works with wire services, buzzing phones and need-it-yesterday requests for quotes. IT works with systems updates, multiple monitors and all-night coding sessions. But when a data breach engulfs a company, silos don’t serve anyone.

For these reasons, a company’s senior PR person — the person designated as communications lead during a data breach — should regularly connect with its head of IT security. Monthly lunches provide a great environment for these meetings, where there are several goals to keep in mind.

Educate the spokesperson about:

  • What data the company maintains
  • What steps the IT team has taken to safeguard against data loss
  • What the most likely threats are to that data and how the company would learn of an attack, if it occurred

Educate the IT chief about:

  • The responsibilities of the company’s PR professionals and the impact of the company’s public messaging on its bottom line
  • The types of media that cover the company
  • The company’s media strategy related to data breaches, how to direct media inquiries, who from IT will interface with PR and vice versa, and whether the company will use an outside agency

The paramount goal is to build “top-to-top” trust and rapport between the two departments.

An Improved Relationship

There are also several benefits of this improved relationship:

  • Avoids a situation where the IT head has to contain a data breach in real time, while explaining the company’s sensitive network infrastructure to a stranger, who must then transform that explanation into an educated public message
  • Allows the spokesperson to ask follow-up questions in a non-crisis environment, translate the tech language into effective sound bites and draft a better PR strategy for data-loss events
  • Ensures that IT deploys its finite budget to protect against the types of data breaches that would most impact the company’s reputation
  • Builds a confident, knowledgeable spokesperson — arguably one of the most effective ways to fortify the confidence of a company’s customers and investors after a data loss, and reverses or blunts a negative news cycle

Mindful planning cannot stop a breach, but it can result in a well-managed one. The short-term impact of an individual company’s media response to a data breach can make the difference in consumers’ confidence in that company in the long term.

Copyright 2015 by Public Relations Tactics. Reprinted with permission from the Public Relations Society of America (PRSA.org).

What Every Company’s Board Must Know About Cybersecurity

In recent years, data breaches at some of the world’s largest corporations have made news. But smaller companies are just as vulnerable, and must take steps to protect their data. In addition, businesses that serve as vendors to other businesses face increased scrutiny of their cyber preparations. The board of directors plays a critical role in this effort, as Jo Cicchetti, Chair of the Carlton Fields Data Privacy and Cybersecurity Task Force, explained during a recent conversation.

Why is cybersecurity a board concern?

The board’s primary responsibility is to protect the company’s assets and interests on behalf of the shareholders, and cyber risks pose serious threats to the business operations and reputation of the business. So, the board must take into account cybersecurity risks as part of its enterprise risk management duties.

Describe the risks posed by a breach.

If the worst happens, a company could sustain financial and business losses, damage to its infrastructure and reputation. Customers, business partners and regulators could bring legal actions. Class actions from customers could result, and the board could face shareholder derivative suits, alleging that it and its members did not meet their duty of care and/or duty of loyalty to the corporation. Not to mention regulatory enforcement actions that could also result. So, the stakes are high.

What must the board know about cybersecurity?

Board members are not charged with becoming IT specialists—they don’t have day-to-day management responsibility for the issue. But the board needs to know that cyber risks are being handled properly, that the company is taking steps to prepare for any cyberattack, can detect cyber intrusions and when they do happen can respond properly. It must make sure that management has an incident response plan. The board must ask its managers—such as the chief legal officer, chief privacy officer and chief information security officer—particular questions such as: How is the company managing data security? Do we have internal written information security programs [WISPs]? What are the threats particular to the company’s business? What security framework is the company using? Which risks to avoid, accept, or mitigate and what is the plan related to each? How are employees being trained? How do we manage our vendors? What plan is in place for breach response, and who is in charge of that plan? Those are just some of the questions, but the important thing is that every department of the company—legal, IT, HR, operations—needs to communicate and work together. There can’t be a silo mentality.

How active a role should the board take with respect to cybersecurity?

Board members must take a regular and active role to make sure that cybersecurity and data governance issues are regularly reported to them by management. The topic should appear on the agendas for their quarterly meetings, and someone from either IT or the general counsel’s office should make a report addressing what’s happened in the last quarter—have there been incidents or events, and how have they managed any situations that arose? Vendor compliance should also be discussed, as well as any threats that result from customers’ and third-party access to company information systems, and how to address them. Also, the board needs to know that the right professionals are in place to advise the company.

Who are the right professionals?

A company needs access to technology experts, forensics experts, and privacy counsel. They need not necessarily be on staff, but must be identified and retained in case their services are ever needed. Everybody needs to be prepared and ready to go if a problem develops. You also need to have outside counsel onboard. The first 24 hours are critical. Retaining a public relations professional is also a good idea.

How else can the board help prevent data breaches?

The board cannot prevent data breaches, but there is a lot that can be done, and the board needs to know that the right steps have been taken. For example, employee training programs are critical because data breach situations often arise as a result of employee error or misconduct. There must also be a protocol or plan for incidents, and vendor due diligence and oversight is also important. Protecting against threats requires a multidisciplinary approach that involves the chief legal officer, chief information security officer, and human resources all working together. And, board members need to ask these people the right questions, which might include: What security frameworks are we using? Which company assets are the ‘crown jewels’ that need protection? What are the legal implications of cybersecurity incidents, and how do we avoid them? What risks should we accept? Do we get insurance? How are our employees being trained? What kind of testing do we do?

What role should cyber risk insurance play in a company’s overall plan?

Right now, cyber risk insurance is an evolving area. It is very expensive and doesn’t eliminate a company’s need to have a data security plan and proper implementation. The insurance company underwriting the policy will want to know that the company is taking the right steps before it insures the risk. Ultimately, if a company hasn’t done what it told its insurance company it would do, its coverage could be jeopardized.

How do state breach laws impact a company’s data breach strategy?

There is a patchwork of 50 state laws. A company’s legal department must understand the legal requirements in each of the 50 states. Normally, companies solve to the most difficult jurisdiction, setting up procedures that comply with the most stringent requirements where possible. The process is further complicated by the fact that states also differ in how they define a breach. And the laws are constantly changing. For companies without large internal legal resources, outside experts—such as privacy lawyers and technology consultants—are critical.

Is there any way to eliminate the risk?

There’s no way that anyone—even an organization with all the money and time in the world—can prevent attacks 100 percent of the time. Even the NSA, with its unlimited resources, was hacked. Companies just need to make sure they’re taking reasonable steps to deal with the risks and continue to stay informed. This is an area where it is very important to keep up with the Joneses.

How Companies Can Protect Their CEOs and CFOs from the “Business Email Compromise”

All Resources// Cybersecurity

Cyber scammers continually innovate new means to extract valuable information from unsuspecting victims. And a new form of cyber fraud is exploiting the close relationship between CEOs and CFOs. Identifying this threat — and the means to prevent it — is important for employees in IT, finance, and compliance.

Plenty of Phish in the Sea

First, some definitions. “Phishing,” the use of online communications such as mass emails or recorded telephone calls to trick users into giving out sensitive information, has become routine. In phishing, the criminals often pose as a legitimate company to obtain financial or personal information. “Spear phishing” is a targeted phishing attack against specific individuals within specific companies, in which the fraudsters deploy personalized emails or other forms of online contact. Spear phishing’s high-achieving younger brother — “whaling” — uses the same techniques to aim tailored lures at upper management. Successive spear phishing often precedes a successful whaling attack, as the criminals climb the corporate ladder with the ultimate goal of parting the company from its money or committing corporate espionage.

The “business email compromise” is a similar scheme that targets businesses working with foreign suppliers. In this fraud, the criminal uses a spoofed or hacked email address of a business insider to prompt the business to transfer an urgent wire to the hacker’s account.

This article will explain a form of the business email compromise that borrows elements of whaling to target CEOs and CFOs. We will then suggest some methods to defeat it.

In whaling, successful attackers first research the executive’s social media sites, corporate webpages, and professional writing so that the email or phone call that lures the executive is tailored enough to avoid suspicion. The criminal’s initial legwork also determines what level of access the executive has to company secrets or what might be the easiest way to part the executive from her money or credentials or the company’s funds or intellectual property. The scammer may pose as the company’s bank, the CEO’s private banker, a BMW salesperson, or a family member. The goal of traditional whaling is often to obtain bank account or other personally identifiable information from the executive, for later use in identity theft.

Although whaling is usually done in small numbers, perhaps the best known example is a large one. In 2008, scammers sent thousands of C-suite executives an email message that appeared to contain official subpoenas from a federal court in San Diego. The email text contained the executive’s name, company, and phone number. The link embedded in the message promised access to the full subpoena, and, when clicked, prompted the recipient to first download a browser add-on. The downloaded file secretly contained a program that captured the executive’s keystrokes, which it transmitted back to the hackers, capturing passwords and corporate information. In total, approximately 2,000 of the targeted executives fell victim.

And these crimes persist. In May of last year, the U.S. Department of Justice announced the federal indictment of five Chinese military officials for what amounted to a major whaling operation waged against six U.S. companies. At one victim company, these officials allegedly posed as the company CEO in sending an email to approximately 20 employees, which contained a link to malware that allowed the officials “back door” access to the company’s computers.

Re-Baiting the Hook

The whaling version of the business compromise email, and a variant of the scheme that is currently in vogue, has a more immediate return — its sole goal is to part a company with cash.

The scammer first either hacks into or spoofs the CEO’s email address. A spoof is an email address that appears to be the same as the CEO’s address, but is really sent from another, hidden email account. A spoof can also approximate the email address but, for example, insert an extra letter in the text preceding the “@,” change the letter “l” to the digit “1,” or add an alternate variation of the corporate standard, such as using “jeclabby@” (note the correct middle initial) rather than “jclabby@”.
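The lookalike addresses described above can be screened for automatically. The following is an added example written for this page, not code from the original article: it compares an inbound From: header against a directory of known executive mailboxes and flags inserted letters (the “jeclabby@” vs “jclabby@” case), digit-for-letter swaps, and, going slightly beyond the article's examples, lookalike domains and display names that claim an executive's identity from an outside mailbox. The executive directory, the example.com domain and the sample headers are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed directory of legitimate executive mailboxes (assumed names and domain, not real people).
KNOWN_EXECUTIVES = {
    "jclabby@example.com": "Jim Clabby",
    "cfo@example.com": "Pat Ledger",
}

# Characters scammers swap for visually similar ones (the article's letter "l" -> digit "1" trick).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l"})


def canonical(text: str) -> str:
    """Fold homoglyphs and drop separators so visually similar strings compare equal."""
    folded = text.lower().translate(HOMOGLYPHS)
    folded = folded.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[._-]", "", folded)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches the inserted-letter variant ("jeclabby" vs "jclabby")."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str) -> tuple[str, str]:
    """Split a From: header value into (display name, lowercase address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


@dataclass
class Verdict:
    address: str
    suspicious: bool
    reason: str


def check_sender(from_header: str) -> Verdict:
    """Flag senders that are not an executive's real mailbox but are built to look like one."""
    name, addr = parse_from(from_header)
    if addr in KNOWN_EXECUTIVES:
        return Verdict(addr, False, "known executive mailbox")
    local, _, domain = addr.partition("@")
    for real_addr, real_name in KNOWN_EXECUTIVES.items():
        real_local, _, real_domain = real_addr.partition("@")
        # Display-name impersonation: claims to be the executive from any other address.
        if name and name.casefold() == real_name.casefold():
            return Verdict(addr, True, f"display name claims {real_name} but address is not {real_addr}")
        local_close = canonical(local) == canonical(real_local) or edit_distance(local, real_local) <= 1
        domain_close = canonical(domain) == canonical(real_domain) or edit_distance(domain, real_domain) <= 1
        # Lookalike address: near-identical local part on the real domain or a near-identical one.
        if local_close and domain_close:
            return Verdict(addr, True, f"address resembles {real_addr}")
    return Verdict(addr, False, "no resemblance to a known executive")


def screen_messages(from_headers: list[str]) -> list[Verdict]:
    """Return only the verdicts that warrant a hold-and-verify before any wire is processed."""
    return [v for v in (check_sender(h) for h in from_headers) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample From: headers, not captured mail.
    SAMPLE = [
        "Jim Clabby <jclabby@example.com>",          # genuine
        "jeclabby@example.com",                       # extra letter in the local part
        "jc1abby@example.com",                        # digit 1 for letter l
        "Jim Clabby <jclabby@exarnple.com>",          # rn for m in the domain
        '"Jim Clabby" <jim.clabby@webmail.invalid>',  # executive's name, outside mailbox
        "accounts@supplier.invalid",                  # ordinary vendor mail
    ]
    for v in screen_messages(SAMPLE):
        print(f"HOLD {v.address}: {v.reason}")
```

The edit-distance threshold of 1 is deliberately aggressive and will also hold mail from genuinely short, similar local parts (for example “cto@” next to “cfo@”), which is the right bias for a wire-release check as long as a hold only triggers the out-of-band confirmation step rather than blocking mail.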

After having achieved the ability to send an email that appears to be from the CEO, the scammer then sends an email from that address to another executive with the authority to wire a large amount of money on short notice, and this is often the CFO. This email will contain instructions to wire corporate money to a new account of a known corporate vendor or business partner, often at an offshore bank, and to do so as soon as possible. The CFO, wishing to be as responsive as possible to the CEO, will drop everything to execute the wire. By the time the company realizes the transaction was not authorized, sometimes by calling the actual vendor to confirm payment, the money is long gone from the recipient account or otherwise unrecoverable.

This scheme succeeds because the spoofed email itself often contains a PDF file of an invoice that appears to be from a real company that does business with the victim company and because the email text and header information otherwise contain the hallmarks of an actual business communication for the company.

But the scheme also succeeds because the criminal has deployed techniques known collectively as “social engineering,” a form of manipulation in which knowledge of human behavior is used to influence it. Through use of social engineering, the criminal gains money, information, or access not through fancy code or brute-force computer power, but through the more traditional tools of the midway grifter. In this case, the scammer marries an artificial sense of urgency (“this must be done immediately!”) with the target employee’s desire to please his boss. The scheme succeeds because the CFO’s special relationship with the CEO fogs his vision of the fraud that is right in front of his face.

How to Stay Off the Dinner Plate

Advice to lock your door at night does little to stop you from opening that door to a criminal who is dressed as a police officer. Similarly, firewalls and antivirus software have limited effect against a business compromise email targeted at senior executives in this fashion. The following tips will help you develop a program at your company to combat this type of fraud:

  • Strengthen Controls Around Irregular Wires: Review and strengthen the controls around wire transfers, and, in particular, international wire transfers. This could include (i) requiring two forms of communication (both email and phone, both text and email, etc.) before a wire will issue; (ii) requiring approvals from two different persons apart from the requestor to initiate a wire; or (iii) authenticated contact with the recipient party at the supposed foreign vendor before an internally authorized wire will issue. In (i) above, another best practice is for the recipient of the CEO’s request (in our examples, the CFO), to initiate the follow-up phone call to a known company or mobile number, rather than responding to “call me at xxx-xxx-xxxx with any questions,” because the planted phone number could be a part of the spoof. Companies that face repeated attacks may also deploy more complex arrangements, including the use of rotating verbal passwords. Companies that have grown rapidly but that still rely on informal methods of communication surrounding vendor payment are particularly susceptible to this fraud.
  • Improve Training for Finance Staff: Provide regular, periodic education to all executives and employees on computer fraud, including phishing and business email compromise, tailored to the particular employee’s job description, so that they will understand the danger these attacks pose and spot potential fraud. This training should be tailored in summary fashion for the C-suite. For the line-level finance or treasury employees, including those who actually process wire transfers, training should include clear direction that suspicious wires may and should be questioned up the chain of corporate command, without retaliation, and that part of the employees’ annual evaluation will include analysis of their contribution to fraud detection. Detection of this type of fraud can be included in the company’s annual training on vendor payment fraud.
  • Fund and then Audit Company Technology: Keep your anti-phishing software, operating system, and browsers up to date with the latest patches, and empower and fund your IT and data security staff commensurate with the risk that your company faces. Ensure that your regular penetration testing includes business email compromise, or other attempts to initiate a wire through direct emails to the finance staff.

The threat of whaling should be taken seriously by companies of all sizes, and particularly by companies that rely on fast-paced payments, that have vendors with multiple or changing receiving-bank information, and where executives work remotely from one another. In a matter of seconds criminals can compromise sensitive information, wire money internationally, and leave companies devastated. To minimize their susceptibility to such a breach, companies must arm themselves with a combination of awareness, training, and preparation of the IT defenses.

Removing the Hook

If you believe your company has been the victim of such an attack, contact law enforcement, such as the Federal Bureau of Investigation, the U.S. Secret Service (through the Electronic Crimes Task Force in your city), or state or local law enforcement, to report it. If the attack is caught in progress or detected shortly after the wire transfer, get law enforcement involved immediately. Federal law enforcement’s relationships with banks and the international money transfer system, in particular, may allow them to recover your funds or, at least, collect evidence for a successful prosecution.

These attacks are embarrassing for senior executives and involve the loss of real money. As such, working through the aftermath to determine what happened, what if anything can be done to recover funds, and how to prevent a future attack, is a complex task. Consider involving experienced outside counsel to work on your behalf with law enforcement to sort through the evidence, monitor the efforts to track any disbursed funds, and otherwise protect the company’s interests. When dealing with this kind of attack, the last thing a company needs is to be alone at sea.

A Different Kind of Data Breach: Loss or Disclosure of Company Information by Employee Theft

All Resources// Cybersecurity// HR & Employment

Data breaches are all over the news, but those stories most often cover high-profile cybersecurity breaches that result from the malicious efforts of hackers or other outsiders. Just as insidious, and more likely to occur, are insider breaches in the form of the theft or disclosure of confidential company information by a current or recently departed employee.

Employee theft of company data may be motivated by a desire to monetize that data, to embarrass or retaliate against an employer, or by simple ignorance. For example, a Tufts Health Plan employee recently pled guilty to data theft after stealing customer information for more than 8,000 Tufts customers in a scheme to collect fraudulent Social Security benefits and tax refunds. In another recent case, a disgruntled employee of Morrisons, a large UK supermarket chain, stole payroll information for thousands of the company’s employees and posted it online as a “concerned Morrisons shopper,” in addition to mailing copies to local newspapers. Finally, in one of the largest of the recent employee data theft cases, a Morgan Stanley financial advisor apparently obtained data from 350,000 Morgan Stanley clients by running internal reports on data he was not authorized to access. Some portion of that data was later uploaded online, possibly by a third party, and offered for sale.

A surprisingly large number of employee thefts, however, result from simple ignorance. In a recent Ponemon Institute survey, over half of the more than 3,000 respondents stated a belief that using competitive information taken from a previous employer was not a criminal act, reasoning that ownership of such information resides in its creator rather than the former employer. The respondents further justified transferring corporate data to their personal computers, tablets, smartphones, or to “the cloud” because of a belief that it didn’t harm the company, because the company didn’t enforce its policies, because the information was unsecured or generally available, or because that employee wouldn’t receive any economic benefit from doing so. Worse, in this same survey, more than half of the employees surveyed admitted to taking information from a former employer and 40 percent of those employees admitted they intended to use it in a new job.

These disturbing statistics raise the question: What can employers do to prevent these losses? While there is no absolute preventative measure, steps can be implemented to greatly reduce the risk of such thefts and to detect any ongoing employee theft.

1. Implement Protective Policies and Agreements

Limit access to sensitive information to only those employees whose jobs require such access. This may include customer, employee, or vendor data, in addition to any other generally proprietary corporate data, such as financial models, formulas, etc. Access to the company network should be discontinued immediately upon termination of the employee or receipt of notice of intent to leave. The employer should also require that company laptops and other devices be immediately returned at that time. An additional benefit of limiting access to corporate information is that it makes the data far more likely to be considered a protectable trade secret under the Uniform Trade Secrets Act, which defines a “trade secret” as information that has been the “subject of efforts that are reasonable under the circumstances to maintain its secrecy.”

Put the company’s data security policies in writing

For example, the company’s employee handbook/manual/agreements should require employees to access and store company data only on company-owned devices and should further include a statement that the employee’s authorization to access the company’s network ends automatically when employment ends or when that employee has given notice of an intention to leave.

Implement appropriate restrictive covenants

These may go beyond the usual non-competition, non-solicitation, or non-disclosure clauses to include garden leave provisions, notice provisions, or forfeiture clauses. It is important to note before utilizing these provisions, however, that the enforceability of each varies significantly by state. Legal counsel should be sought before they are put in place.

Implement detection measures

To the extent possible, utilize your IT department to implement detection measures such as data loss prevention software (which limits the end user’s ability to transfer certain data and/or notifies the employer when an attempt to do so has occurred) or to monitor departing employees’ online activity in the last 30 days of employment. Studies have shown that 70 percent of intellectual property theft occurs within 30 days of an employee’s resignation announcement. Setting aside electronic means of detection, many data breaches are discovered by tips from other employees, which are more likely to be forthcoming if they can be made anonymously. Consider establishing a hotline that employees can use to report misconduct. Also, be aware of other red flags that may arise with respect to departing employees, e.g., statements regarding the employee’s desire or ability to harm the company, an employee accessing files not commonly used by that employee, or social media traffic that indicates an employee’s intention to take corporate data to a competitor or use it as a basis for a new venture.

2. Educate Employees Regarding the Company’s Data Security Policies

The company must be clear with employees regarding the ownership of its intellectual property, appropriate use of company data, and the company’s willingness to enforce its rights if necessary. Employees should be informed of the employer’s data security policies at the time of hire. This should include, but not be limited to, a discussion of these policies in the interview, providing the employee with copies of all such policies, execution of appropriate restrictive covenants, and a request that the employee provide the company with copies of any restrictive covenants they have entered into with previous employers. Employees should then be reminded periodically throughout the term of their employment of the company’s data security policies, which can be as simple as a periodic reminder email from the company’s IT department or management. And, finally, the employee should be reminded again at the time that employment ends. This should be done in the exit interview, by follow-up letter, and by providing an additional copy of any restrictive covenants and data policies.

In the 2012 Global Fraud Study, conducted by the Association of Certified Fraud Examiners, researchers found that management’s failure to set the right ethical tone—i.e., that the company expects ethical behavior and treats its intellectual property and other proprietary data seriously and with appropriate care—was among the primary factors cited as the cause for employees’ theft of data resulting in a loss of $1,000,000 or more. Unsurprisingly, a lack of internal controls was, by far, the largest factor contributing to such thefts without regard to size.

3. Enforcement of Policies and Agreements

Depending on the applicable state law, a variety of civil claims may be available where data is stolen by a former employee. These may include, but are not limited to, breach of contract, misappropriation of trade secrets, violation of the Computer Fraud and Abuse Act, conversion, tortious interference with contract or business opportunities, or, depending on the role of the departing employee, breach of fiduciary duty.

Criminal penalties may also apply but are outside the scope of this article.

While many companies have employed substantial resources to protect against outside threats, such as hackers, worms, or viruses, the risk of an internal threat often goes unaddressed. The great majority of data leaks, however, are caused by company insiders. To best address and prevent data loss, companies must first recognize and address this problem at its source.

© 2016–2021 Carlton Fields, P.A. · Carlton Fields practices law in California as Carlton Fields, LLP · All Rights Reserved · Privacy Policy · Disclaimer · Contact
